
This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."

How to Deal With New E-Discovery Rules
Federal regulations require companies to take stock of the data they keep and how they manage it.

Many different technologies, including log management tools, can gather information to help satisfy the latest federal rules on electronic evidence discovery. And that's a good thing because in a recent survey of IT managers by Osterman Research, more than half said they'd rather have a cavity filled than respond to an e-discovery request.

Last December, the Federal Rules of Civil Procedure were updated to address electronically stored information in the pre-trial discovery process.

The new rules require that companies be able to identify relevant electronic evidence in a timely and complete way, with exceptions granted for data that's not reasonably accessible or not kept as a matter of routine operations.

So before you head to the dentist, consider what kinds of tools you currently have, what kinds of information are already being collected, and whether any of this is suitable for e-discovery purposes.

"There are now 38 states with some form of mandatory disclosure laws," says Robert Whiteley, an analyst with Forrester Research. "It is only a matter of time before everyone has to worry about compromised assets and the potential for legal action."

In any legal challenge, first take a look at the time frames involved, and whether you actually have the data you think you have. Some data may already have been removed from your archives because of how you set up various systems.

Osterman's survey found that 25 percent of the organizations polled purge their email manually or automatically after 90 days or less. This may not be suitable when laws such as SOX, HIPAA and various European laws require archives covering multiple years' worth of information. Look at how your email system can create longer-term archives for these purposes. Nearly one-third of the organizations Osterman surveyed admitted that, even if they had to, they would not be able to produce an email that is a year old.

"Organizations have had to pay fines in certain cases when they had destroyed or missing records," says Larry Dietz, managing director at security consulting firm Tal Global.

Products such as LiveOffice Managed Messaging Services can help store and index Microsoft Exchange email, set predetermined retention periods, and automatically archive messages to offload the active email servers.

Second, understand what kind of data is actually required for evidence. Email usually comes to mind first, but other data can be requested in these types of legal actions, including instant message logs. Reuters this year started selling Messaging Compliance Manager, which allows customers to log all Reuters Messaging communications for up to seven years.

However, legal requests can go beyond messaging applications. "Security logs can be an issue in cases of intellectual property theft or financial malfeasance," says Dietz. "The SIM might contain the pointers for what evidence is needed to respond to the lawsuit, rather than have the actual evidence itself."

Third, if you do actually have the data, what steps are you taking to safeguard logs for evidentiary purposes? If and when you do get sued, you will have to show that the log data your systems have collected has not been tampered with since it was written: that any integrity protection applied at collection time, such as a hash chain or a digital signature over the archive, still verifies, and that no records have been altered, inserted or removed.

"There is no clear point-by-point situation that is the court-approved method of collecting log information," says Anton Chuvakin, director of product management at LogLogic. "Everything is subject to case law and judicial interpretation. But if logs are collected in the normal course of business, and if this process were relatively solid and protected, then they would be likely admitted as evidence."
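The third step above asks how you would demonstrate in court that archived logs are unaltered. The following is an added example, not code from the article or from any product it names: it hash-chains each log record to its predecessor and seals the final hash, so that a modified line, a deleted record, or a chain rebuilt by someone who lacks the sealing key all fail verification with a reason a reviewer can act on. The log lines are constructed for the example. An HMAC with a shared key stands in for the digital signature the article mentions; in a real archive you would use an asymmetric signature (for instance RSA or ECDSA through a library such as cryptography) so the verifier needs only the public key, and the sealing key would live with the log archive, not on the systems producing the logs.

```python
import copy
import hashlib
import hmac

# Hypothetical sealing secret used only for this example. A production archive
# would sign the final hash with a private key held by the archive service.
SEAL_KEY = b"example-archive-seal-key-not-for-production"

# The first record chains to a fixed all-zero "genesis" hash.
GENESIS = "0" * 64

# Constructed sample log lines in the style of a firewall, domain controller
# and file server feed; they are not real data.
SAMPLE_LINES = [
    "2007-09-14T08:02:11Z fw01 DENY tcp 10.1.4.22:51422 -> 203.0.113.7:445",
    "2007-09-14T08:02:40Z dc01 LOGON success user=jdoe src=10.1.4.22",
    "2007-09-14T08:03:05Z fileserv READ /finance/q3-forecast.xlsx user=jdoe",
    "2007-09-14T08:03:59Z fileserv COPY /finance/q3-forecast.xlsx -> E:\\ user=jdoe",
]


def _record_hash(prev_hash: str, line: str) -> str:
    # Each entry binds the raw line to the hash of the entry before it, so
    # changing, removing or reordering any earlier entry changes every later hash.
    return hashlib.sha256(prev_hash.encode() + b"\n" + line.encode()).hexdigest()


def _seal(final_hash: str) -> str:
    # Seal over the last hash only; the chain makes it cover every record.
    return hmac.new(SEAL_KEY, final_hash.encode(), hashlib.sha256).hexdigest()


def build_chain(lines):
    """Turn raw log lines into hash-chained records and seal the final hash."""
    records = []
    prev = GENESIS
    for seq, line in enumerate(lines):
        h = _record_hash(prev, line)
        records.append({"seq": seq, "line": line, "prev": prev, "hash": h})
        prev = h
    return {"records": records, "seal": _seal(prev)}


def verify_chain(archive):
    """Recompute every hash and the seal; return (ok, reason) with the first defect."""
    prev = GENESIS
    for expected_seq, rec in enumerate(archive["records"]):
        if rec["seq"] != expected_seq:
            return False, f"sequence gap before seq {rec['seq']}"
        if rec["prev"] != prev:
            return False, f"record {rec['seq']} does not chain to its predecessor"
        if _record_hash(prev, rec["line"]) != rec["hash"]:
            return False, f"record {rec['seq']} content does not match its hash"
        prev = rec["hash"]
    if not hmac.compare_digest(_seal(prev), archive["seal"]):
        return False, "seal does not match final hash"
    return True, "chain intact"


def tamper_scenarios():
    """Three tampering attempts against a sealed archive and what verification reports."""
    original = build_chain(SAMPLE_LINES)
    results = {"intact": verify_chain(original)}

    # 1. Edit the content of a record in place.
    edited = copy.deepcopy(original)
    edited["records"][2]["line"] = edited["records"][2]["line"].replace("READ", "LIST")
    results["edited"] = verify_chain(edited)

    # 2. Delete a record and renumber the rest to hide the gap.
    deleted = copy.deepcopy(original)
    deleted["records"].pop(2)
    for seq, rec in enumerate(deleted["records"]):
        rec["seq"] = seq
    results["deleted"] = verify_chain(deleted)

    # 3. Rebuild the whole chain around altered content, but without the sealing
    #    key the forger can only reuse the original seal.
    altered_lines = SAMPLE_LINES[:3]  # drop the COPY event entirely
    forged = build_chain(altered_lines)
    forged["seal"] = original["seal"]
    results["forged"] = verify_chain(forged)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in tamper_scenarios().items():
        print(f"{name:8s} ok={ok!s:5s} {reason}")
```

Verification walks the chain from the genesis hash forward and stops at the first inconsistency, so the reason it returns points at the earliest record an examiner should look at. Note what the seal does and does not prove: it shows the archive matches what the sealing key holder committed to at sealing time, so the seal needs to be applied as part of routine collection (the "normal course of business" Chuvakin refers to), and the key must be held somewhere the log sources and their administrators cannot reach.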

--DAVID STROM

This was first published in October 2007
